Cloud Providers

Granit is cloud-agnostic by design. Each module defines provider-neutral abstractions (IIdentityProvider, IBlobStorageProvider, IEncryptionService, etc.) and ships dedicated provider packages for major cloud platforms. Switch providers by changing a single NuGet reference and DI registration — no application code changes needed.

At a glance

Domain	AWS	Azure	Google Cloud	Alibaba Cloud
Authentication	✓	✓	✓	planned
Identity	✓	✓	✓	planned
Vault / Encryption	✓	✓	✓	planned
Blob Storage	✓	✓	✓	planned
Notifications — Email	✓	✓	✗	planned
Notifications — SMS	✓	✓	✗	planned
Notifications — Mobile Push	✓	✓	✓	planned
Total packages	7	7	5	0

Setup

// Program.cs — AWS provider stack
builder.AddGranitAuthenticationCognito();
builder.AddGranitIdentityCognito();
builder.AddGranitVaultAws();
builder.AddGranitBlobStorageS3();
builder.AddGranitNotificationsEmailAwsSes();
builder.AddGranitNotificationsSmsAwsSns();
builder.AddGranitNotificationsMobilePushAwsSns();

// Program.cs — Azure provider stack
builder.AddGranitAuthenticationEntraId();
builder.AddGranitIdentityEntraId();
builder.AddGranitVaultAzure();
builder.AddGranitBlobStorageAzureBlob();
builder.AddGranitNotificationsEmailAzureCommunicationServices();
builder.AddGranitNotificationsSmsAzureCommunicationServices();
builder.AddGranitNotificationsMobilePushAzureNotificationHubs();

// Program.cs — Google Cloud provider stack
builder.AddGranitAuthenticationGoogleCloud();
builder.AddGranitIdentityGoogleCloud();
builder.AddGranitVaultGoogleCloud();
builder.AddGranitBlobStorageGoogleCloud();
builder.AddGranitNotificationsMobilePushGoogleFcm();

AWS

Amazon Web Services packages use the official AWS SDK for .NET.

Package	Module	What it does
`Granit.Authentication.Cognito`	Authentication	JWT validation + claims transformation for Cognito User Pools
`Granit.Identity.Cognito`	Identity	`IIdentityProvider` via Cognito User Pool Admin API
`Granit.Vault.Aws`	Vault	`IEncryptionService` via AWS KMS + dynamic credentials via Secrets Manager
`Granit.BlobStorage.S3`	Blob Storage	`IBlobStorageProvider` via S3-compatible API (also works with MinIO, Scaleway, etc.)
`Granit.Notifications.Email.AwsSes`	Notifications	`IEmailSender` via Amazon Simple Email Service
`Granit.Notifications.Sms.AwsSns`	Notifications	`ISmsSender` via Amazon SNS
`Granit.Notifications.MobilePush.AwsSns`	Notifications	`IMobilePushSender` via Amazon SNS platform applications

See also: Identity — Vault & Encryption — Blob Storage — Notifications

Azure

Microsoft Azure packages use DefaultAzureCredential for authentication (Managed Identity, Azure CLI, etc.).

Package	Module	What it does
`Granit.Authentication.EntraId`	Authentication	JWT validation + claims transformation for Microsoft Entra ID (Azure AD)
`Granit.Identity.EntraId`	Identity	`IIdentityProvider` via Microsoft Graph API
`Granit.Vault.Azure`	Vault	`IEncryptionService` via Azure Key Vault
`Granit.BlobStorage.AzureBlob`	Blob Storage	`IBlobStorageProvider` via Azure Blob Storage
`Granit.Notifications.Email.AzureCommunicationServices`	Notifications	`IEmailSender` via Azure Communication Services
`Granit.Notifications.Sms.AzureCommunicationServices`	Notifications	`ISmsSender` via Azure Communication Services
`Granit.Notifications.MobilePush.AzureNotificationHubs`	Notifications	`IMobilePushSender` via Azure Notification Hubs

See also: Identity — Vault & Encryption — Blob Storage — Notifications

Google Cloud

Google Cloud packages use Application Default Credentials (ADC) or service account JSON keys.

Package	Module	What it does
`Granit.Authentication.GoogleCloud`	Authentication	JWT validation + claims transformation for Google Cloud Identity Platform (Firebase Auth)
`Granit.Identity.GoogleCloud`	Identity	`IIdentityProvider` via Firebase Admin SDK
`Granit.Vault.GoogleCloud`	Vault	`IEncryptionService` via Cloud KMS + dynamic credentials via Secret Manager
`Granit.BlobStorage.GoogleCloud`	Blob Storage	`IBlobStorageProvider` via Google Cloud Storage
`Granit.Notifications.MobilePush.GoogleFcm`	Notifications	`IMobilePushSender` via Firebase Cloud Messaging

See also: Identity — Vault & Encryption — Blob Storage — Notifications

Alibaba Cloud

Domain	Alibaba Cloud service	Status
Authentication	IDaaS	planned
Identity	RAM + IDaaS	planned
Vault / Encryption	KMS	planned
Blob Storage	OSS (S3-compatible)	planned
Notifications — Email	DirectMail	planned
Notifications — SMS	Short Message Service	planned
Notifications — Mobile Push	Push Notifications	planned

Cloud-agnostic providers

In addition to cloud-specific packages, Granit offers providers that work with any cloud platform:

Package	Channel(s)	Service
`Granit.Notifications.Brevo`	Email + SMS + WhatsApp	Brevo (formerly Sendinblue)
`Granit.Notifications.Email.Scaleway`	Email	Scaleway TEM (sovereign EU)
`Granit.Notifications.Email.SendGrid`	Email	SendGrid (Twilio)
`Granit.Notifications.Twilio`	SMS + WhatsApp	Twilio Messaging
`Granit.Notifications.Email.Smtp`	Email	Any SMTP server
`Granit.Notifications.WebPush`	Web Push	VAPID (standard)
`Granit.Notifications.SignalR`	Real-time	SignalR (WebSocket)

Feature comparison

Identity and Authentication

Capability	AWS (Cognito)	Azure (Entra ID)	Google Cloud	Alibaba Cloud
JWT validation	✓	✓	✓	planned
Claims transformation	✓	✓	✓	planned
User CRUD	✓	✓	✓	planned
Role management	✓	✓	✓ (custom claims)	planned
User cache sync	✓	✓	✓	planned
Health check	✓	✓	✓	planned

Vault and Encryption

Capability	AWS KMS	Azure Key Vault	Google Cloud KMS	Alibaba Cloud KMS
Encrypt / Decrypt	✓	✓	✓	planned
Dynamic DB credentials	✓	✗	✓	planned
Secret storage	✓	✓	✓	planned
Key rotation	✓	✓	✓	planned
Tenant-isolated keys	✓	✓	✓	planned
Health check	✓	✓	✓	planned

Blob Storage

Capability	AWS S3	Azure Blob	Google Cloud Storage	Alibaba Cloud OSS
Presigned upload	✓	✓	✓	planned
Presigned download	✓	✓	✓	planned
Tenant isolation	✓	✓	✓	planned
Health check	✓	✓	✓	planned

Notifications

Channel	AWS	Azure	Google Cloud	Alibaba Cloud
Email	✓ (SES)	✓ (ACS)	✗	planned
SMS	✓ (SNS)	✓ (ACS)	✗	planned
Mobile Push	✓ (SNS)	✓ (ANH)	✓ (FCM)	planned